Hour 0: Well, I never thought this would happen, but my password was leaked. My account has been compromised, and my services have been interrupted. This is bad.
Hour 4: It’s halfway through my work day, and I’ve just regained access to my email account. Now to find out what else may have been tampered with… Services have been down for hours, and management keeps reminding me of the millions of dollars in revenue we’ve lost.
At this point, you’ve probably found all the password reset emails for your major services that you had left unread in your Inbox or Trash folder. You feel like an idiot. You thought you had a super secret password even Elliot Alderson couldn’t crack.
OK, so maybe not everything is up in flames, but there has been some malicious activity on your account that neither you nor your organization approved. So what now?
Let’s talk about 2-Factor Authentication, or 2FA for short.
2FA is an additional layer of account security that relies on a rotating, one-time-use, 6-digit code or token.
This unique token is required every time you attempt to log into your account. That means that anyone logging into your account will need to know your super secret password AND have access to your 2FA code.
“That sounds great! How do I use it?”
I’m glad you asked, kind internet civilian.
This depends on the web service. Our 2FA process at Mailgun requires the use of an authenticator app.
There are a number of applications that will handle 2FA tokens for you. The most popular are Google Authenticator, Microsoft Authenticator, and LastPass Authenticator, just to name a few. These applications are typically installed on your smartphone and are supported on iOS, Android, and Windows.
“This looks promising. I have the app, now what?”
Simple. Add Mailgun to your list of services on your authenticator app. You’ll be prompted to either scan a QR barcode or add a secret key.
To find these items, log into your Mailgun account, navigate to the Account Settings page, and select Security. There you will find the option to enable 2FA.
BUT WAIT! Do not finish the setup just yet.
When you click the “Activate 2FA” button, you will see your account’s “paper key”. This key grants you access to the account in the event that your authenticator app or device is no longer working.
Keep this key safe – it is shown only once and cannot be generated again. Even we can’t retrieve your paper key on our side.
“Awesome! It’s been working great. But the app crashed, and I lost my phone. I need help!”
No worries. Contact your friendly neighborhood Mailgun Support team, and we can get you straightened out. Don’t forget that paper key! It’s an immediate lifesaver.
Once you’ve enabled 2FA, your account will be more secure than ever. Even Elliot won’t be able to get in.
But, of course, with online security, your account is only as strong as your weakest point. If you have a multi-user account with Mailgun, we recommend that you also take advantage of Mailgun’s user roles. And if your account ever gets compromised, this article can help.
Keep your keys close and away from prying eyes, your passwords complex, and your management team from firing you.
P.S. 2FA isn’t only for Mailgun. Many other services (Gmail/Google Apps, Facebook, Twitter, Battle.net, GitHub) support 2FA as well. Opt into 2FA to keep your accounts yours!
Last updated on September 13, 2019